Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-52750

CVE-2026-52750: Ghidra RCE Vulnerability via URL Injection

CVE-2026-52750 is a command injection vulnerability in Ghidra before version 12.1 on Windows that enables remote code execution. Attackers exploit improper URL escaping to run arbitrary commands. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-52750 Overview

CVE-2026-52750 is a command injection vulnerability in Ghidra versions prior to 12.1 on Windows. The flaw resides in the URL annotation handler, which fails to escape cmd.exe metacharacters when launching the system browser. Attackers can embed malicious URLs inside program comments or annotations. When a victim clicks the annotation, Windows executes attacker-controlled commands under the Ghidra user's privileges. The issue is tracked under CWE-88: Improper Neutralization of Argument Delimiters. Ghidra is the National Security Agency's open-source software reverse engineering suite, widely used by malware analysts and vulnerability researchers who routinely open untrusted binaries.

Critical Impact

Opening a malicious Ghidra project or clicking a crafted URL annotation triggers arbitrary command execution on Windows hosts.

Affected Products

  • Ghidra versions before 12.1 on Windows
  • NSA Ghidra reverse engineering framework
  • Workstations running Ghidra projects shared from untrusted sources

Discovery Timeline

  • 2026-06-10 - CVE-2026-52750 published to NVD
  • 2026-06-10 - Last updated in NVD database

Technical Details for CVE-2026-52750

Vulnerability Analysis

The vulnerability stems from unsafe construction of a Windows command line when Ghidra opens a URL referenced inside a program annotation or comment. On Windows, Ghidra invokes the default browser through cmd.exe, which interprets shell metacharacters such as &, |, ^, and %. The URL handler passes user-controlled annotation content into the command string without quoting or neutralizing these characters. An attacker who can supply a Ghidra project, archive, or shared analysis file embeds a crafted URL inside a comment. When the analyst clicks the hyperlink in the listing or decompiler view, cmd.exe parses the embedded metacharacters and executes the appended commands. Execution occurs in the security context of the Ghidra user, which on analyst workstations frequently holds local administrative rights or access to sensitive sample repositories.

Root Cause

The handler concatenates annotation strings into a cmd.exe /c start <url> invocation without applying argument escaping. Because cmd.exe treats & and | as command separators, any metacharacter in the URL terminates the intended start command and begins a new one parsed by the shell.

Attack Vector

Exploitation requires local user interaction. An attacker distributes a Ghidra project, .gzf archive, or shared listing containing a comment with an embedded URL such as https://example.com/&calc.exe. When the analyst clicks the annotation, Windows executes the trailing payload. No authentication or elevated privileges are required on the attacker side beyond convincing the victim to open the project and click the link. See the GitHub Security Advisory GHSA-5c38-3rf3-gp75 and the VulnCheck advisory for additional technical detail.

Detection Methods for CVE-2026-52750

Indicators of Compromise

  • Child processes of ghidraRun.bat, javaw.exe, or the Ghidra JVM spawning cmd.exe followed by unexpected binaries such as powershell.exe, certutil.exe, or rundll32.exe
  • URL strings inside Ghidra .gzf archives or XML exports containing shell metacharacters (&, |, ^, backticks)
  • Outbound network connections initiated immediately after a Ghidra annotation click event

Detection Strategies

  • Hunt for process trees where a Java process associated with Ghidra is the parent of cmd.exe with command lines containing start and additional chained commands.
  • Inspect Ghidra project archives received from external sources for annotations whose URL fields contain non-URL metacharacters.
  • Correlate user-initiated clicks in Ghidra with subsequent cmd.exe invocations on the same host within a short time window.

Monitoring Recommendations

  • Enable Windows process creation auditing (Event ID 4688) with command-line logging on analyst workstations.
  • Forward Sysmon Event ID 1 telemetry to a central analytics platform and alert on Ghidra JVM child processes that are not browser executables.
  • Restrict the import of untrusted Ghidra projects to isolated, monitored virtual machines.

How to Mitigate CVE-2026-52750

Immediate Actions Required

  • Upgrade Ghidra to version 12.1 or later on all Windows analyst workstations.
  • Avoid opening Ghidra projects, archives, or shared listings received from untrusted sources until patched.
  • Audit existing projects for annotations containing URLs with shell metacharacters and remove or sanitize them.

Patch Information

The National Security Agency addressed the issue in Ghidra 12.1 by properly escaping arguments passed to the Windows browser launch routine. Patch details and affected commits are referenced in GHSA-5c38-3rf3-gp75.

Workarounds

  • Run Ghidra inside a dedicated, non-privileged Windows account or an isolated virtual machine when handling untrusted samples.
  • Do not click URL annotations in projects of unknown provenance; copy the URL text and inspect it manually before navigation.
  • Apply Windows AppLocker or Windows Defender Application Control rules to block cmd.exe child processes spawned by the Ghidra JVM.
bash
# Example AppLocker-style restriction: block cmd.exe spawned by javaw.exe used for Ghidra
# Audit Sysmon rule (XML excerpt) for detection engineering
<Sysmon>
  <EventFiltering>
    <ProcessCreate onmatch="include">
      <ParentImage condition="end with">javaw.exe</ParentImage>
      <Image condition="end with">cmd.exe</Image>
    </ProcessCreate>
  </EventFiltering>
</Sysmon>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.